ProCurve 2610 Manual page 249

Table 9-2. ACL Rule and Mask Resource Usage
ACE Type
Standard ACLs
Implicit deny any (automatically included in any standard ACL, but not displayed by show access­
list < acl-# > command).
First ACE entered
Next ACE entered with same ACL mask
Next ACE entered with a different ACL mask
Closing ACL with a deny any or permit any ACE having the same ACL mask as the preceding ACE
Closing ACL with a deny any or permit any ACE having a different ACL mask than the preceding ACE
Extended ACLs
Implicit deny ip any (automatically included in any standard ACL, but not displayed by show access-
list < acl-# > command).
First ACE entered
Next ACE entered with same SA/DA ACL mask and same IP or TCP/UDP protocols specified
Next ACE entered with any of the following differences from preceding ACE in the list:
– Different SA or DA ACL mask
– Different protocol (IP as opposed to TCP/UDP) specified in either the SA or DA
Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with the
same SA and DA ACL masks
Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with different
SA and/or DA ACL masks
Rule Usage
There is only one implicit "deny any" entry per device for CLI ACLs,
■
and one implicit "deny any" entry per device for IDM ACLs.
■ The implicit "deny any" entry is created only the first time an ACL is
applied to a port. After that the port-map is updated for that "deny
any" entry to include or remove additional ports.
Each ACE, including the implicit deny any ACE in a standard ACL,
■
uses one rule.
There is a separate rule for every ACE whether the ACE uses the same
■
mask or a new mask.
■ Two hardware rules are used for any "permit" ACE with TCP or UDP
specified. One rule is for normal packets and one is for fragmented
packets.
Table 9-2 on page 9-17 summarizes switch use of resources to support ACES.
Access Control Lists (ACLs)
Planning an ACL Application
Rule Usage
1
1
1
1
1
1
1
1
2
1
1
1
9-17